
Re: hpux -is

SOLVED
john guardian
Super Advisor

hpux -is

Using the command from the subject line will boot into single user mode.

A question that mgmt wants answered is whether or not the boot request to single user requires a pwd? I've never seen one nor have I bothered to look into configuring one.

Anyone?

Thx.
Mel Burslan
Honored Contributor
Solution

Re: hpux -is

At the hpux OS installation time, you will be asked if you want this *feature*. I STRONGLY suggest you NOT DO THIS. If you require a root password at the single user login and you forget the root password, the only way back into the machine is to re-install the OS.

My word of caution to you and your management.
________________________________
UNIX because I majored in cryptology...
Michael Steele_2
Honored Contributor

Re: hpux -is

I agree 100% with the above comment.

DO NOT LET MGMT START SETTING ADMINISTRATION STANDARDS LIKE SETTING PASSWORDS TO BOOT INTO SINGLE USER MODE!!!!

This is becoming very common as more and more traditional duties of the UNIX admin are being replaced by point and click (* shoot *) software and non UNIX admins who think it might be great to do what you just suggested but have no idea of the consequences.
Support Fatherhood - Stop Family Law
Pete Randall
Outstanding Contributor

Re: hpux -is

This is one of those questions that require great communication skills to answer. You have to explain that no, there is no password required, but that is a feature, then go on to explain how you've limited console access through physical security, etc., etc.

In other words, you've got to sell management on the necessity of keeping it just this way.


Pete
Pete Randall
Outstanding Contributor

Re: hpux -is

Oh . . . . .

and you can't use the word "stupid" in the same sentence as "management".


Pete
Michael Steele_2
Honored Contributor

Re: hpux -is

LOL
Support Fatherhood - Stop Family Law
Mel Burslan
Honored Contributor

Re: hpux -is

>> and you can't use the word "stupid" in the same sentence as "management".

If you are tired of your job and you have a wish to commit career suicide, you can use them in the same sentence. Unless you are a few days from retirement, I'd strongly suggest you line up another job before doing this though :)

Joking to the side, you need to have an iron-clad physical security to your data center and a very well documented and controlled remote console access method (if you have one, and mind you, you should have one).
________________________________
UNIX because I majored in cryptology...
Bill Hassell
Honored Contributor

Re: hpux -is

This is an example of trying to 'protect' a system from one specific problem but not addressing the real issue. The real issue is gaining access to the system console. If management wants security for the systems, then 100% of all devices with a console port must have these ports isolated from all routed networks. One way is to disconnect all the console LAN cables (firewalls, routers, SAN switches, computers, UPS's, etc) and buy a roll-around table with a real terminal, cables and adapters. Of course, physical access to the data center must also be restricted.

A better solution is to create a high security diagnostic network with no routers. Connectivity to this network is then limited to an operations center with appropriate access controls, or for remote data centers, a high security box that can bridge over to the diag network.


Bill Hassell, sysadmin
Steven Schweda
Honored Contributor

Re: hpux -is

> [...] The only way back into the machine is
> to re-install the OS.

Really? There's no way to boot from, say, an
OS installation disc and make the repair?

Hasn't Solaris been requiring a password to
boot into single-user mode since SunOS 5.0?
(I seem to recall being amazed at the change
back when 4.1.4 was still the norm.)

I do it so seldom that I've forgotten most of
what I ever knew about it, but I seem to
recall being annoyed, but not seriously
inconvenienced, by having to supply a "root"
password always.

> [...] and you forgot the root password. [...]

3M sells an inexpensive and readily available
solution to this problem.

http://www.post-it.com

I don't think that they make a product
specifically designed for application to the
bottom of a console keyboard, but I believe
that several existing variations can be used
this way. (Most file cabinets also offer
many obscure internal surfaces which can be
employed to evade unwise management
decisions.) In some cases, explaining the
likely results of a particular policy
decision can stimulate reconsideration of
that decision. When that fails, other (more
creative) schemes are usually available.

Re: hpux -is

>> The only way back into the machine is to re-install the OS.

hmmm it's a long time since I had to do this, but I'm pretty sure in this situation in the past I've been able to boot off a DVD or Ignite server, then mount up the root partition and remove/replace root's password hash in /etc/passwd or /etc/shadow ??

HTH

Duncan

I am an HPE Employee
Steven Schweda
Honored Contributor

Re: hpux -is

> >> The only way back into the machine is
> to re-install the OS.
>
> hmmm [...]

Yeah. In my experience, almost any statement
which begins "The only way" is probably
wrong. This one seems to follow the pattern.
Ismail Azad
Esteemed Contributor

Re: hpux -is

Hi,

Regarding your original question, authentication at single user mode is one of the features of the trusted system and as gracefully mentioned the problem exactly lies in getting access to the system console.

If you carefully look at the SMSE database, you will notice a BOOT_AUTH flag which describes exactly what you are saying. I have personally not used this flag, but it is definitely documented in /etc/security.dsc on an 11.31 operating system.

Regards
Ismail Azad
Read, read and read... Then read again until you read "between the lines".....
chris huys_4
Honored Contributor

Re: hpux -is

Hi John,

Your management sees the security issue too narrowly.

There are 2 ways to access an HP-UX system. Via the gsp (pa-risc)/mp (itanium), over the lan, and that is protected by passwords.

And via physical access to the console of a system, and that is, in most companies, restricted by only giving access to the datacenter, where the system resides, to the ones whose business it is to maintain these systems.

So "going into single user mode" is also protected, in one way or another, by security.

Besides, I would not call, the efi prompt, the "subject line". ;)

Greetz,
Chris
Viktor Balogh
Honored Contributor

Re: hpux -is

> Besides, I would not call, the efi prompt, the "subject line". ;)

He meant the "hpux -is" command, it's the subject of this topic. :)
****
Unix operates with beer.
Rick Christmas
Regular Visitor

Re: hpux -is

@Steven Schweda wrote:
> [...] The only way back into the machine is
> to re-install the OS.
>
> Really? There's no way to boot from, say, an
> OS installation disc and make the repair?
>
> Hasn't Solaris been requiring a password to
> boot into single-user mode since SunOS 5.0?
> (I seem to recall being amazed at the change
> back when 4.1.4 was still the norm.)

Does anyone know the procedure for using the OS disk to gain access and reset the root password? I am locked out of 7 machines running HPUX 11.11i. The root password has expired (as did the sys admin) and since everyone has tried what they thought was surely the right password, on all but one of the boxes the account is also locked. I tried to telnet to the MP port and tried serial thru com1, both failed. They are all b2600 workstations. I'm really dreading having to rebuild them all just because of the password.

Thanks in advance for any help.
R Xmas
Steven E. Protter
Exalted Contributor

Re: hpux -is

Shalom,

A console login will permit a login and therefore let you reset the password.

You don't need to rebuild them.

You don't have to rebuild them. You can hook up a serial console, log in with the old root password and then change the root password.

b2600 is a workstation, so you should be able to hang a keyboard and monitor off them and THAT will be the console.

If you don't know the root password, then you need to power cycle.

At the first prompt interrupt at the keyboard.

bo pri
Y <enter> interact with the prompt.

hpux -is

If that is password protected you do need to boot off OS media. Then you can null out the root password, probably in the /etc/passwd file, and then reboot the system and quickly put in a password.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
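The recovery described above leaves root with an empty password field until someone sets a new one. Added example, not from any post in this thread: a small POSIX sh audit that lists accounts in a passwd-format file whose password field is empty or carries a lock marker, run here on a constructed sample file rather than the real /etc/passwd (which on a trusted system would not hold the hashes anyway). The function names and the sample content are the editor's own.

```shell
#!/bin/sh
# Audit a passwd/shadow-format file for accounts that will log in with
# no password at all (empty second field) and for locked accounts.
# Sample file is constructed for the example; point the functions at
# /etc/passwd or /etc/shadow on a real host (as root, read-only).

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root::0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
operator:x:11:1::/home/operator:/sbin/sh
backup:!:12:1::/home/backup:/sbin/sh
EOF

# Print login names whose password field is empty (no password needed).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print login names whose password field is a lock marker (* or !),
# i.e. no hash can ever match, which is how an account ends up "locked".
locked_accounts() {
    awk -F: '$2 == "*" || $2 == "!" { print $1 }' "$1"
}

# Exit 0 if the named account has an empty password field, 1 otherwise.
has_empty_password() {
    awk -F: -v u="$2" '$1 == u && $2 == "" { found = 1 } END { exit !found }' "$1"
}

echo "accounts with no password:"
empty_password_accounts "$SAMPLE"
echo "locked accounts:"
locked_accounts "$SAMPLE"
if has_empty_password "$SAMPLE" root; then
    echo "WARNING: root has no password set; fix it before the host is reachable"
fi
```

On a live host, run the check immediately after the reboot that follows a hash reset so the window with an empty root field is measured in seconds, not hours.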
Hakki Aydin Ucar
Honored Contributor

Re: hpux -is

I believe root password recovery is possible (I was forced to do it sometimes..) like Duncan and Steven described here.

Solaris needs the OS DVD but HP-UX does not.

Besides, you just need a serial OR remote console.


But, I think, this is good for an administrator, not for mngmt, so mngmt needs an administrator to do work like this.